Closed c4-submissions closed 10 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as primary issue
NO, in console guard, only safe guard and fallback handler states are checked on chain, so that the safe guard will invoke further validation via trusted validator signature can ensure all other state is in place.
0xad1onchain (sponsor) acknowledged
alex-ppg marked the issue as duplicate of #412
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/lib/safe-contracts/contracts/base/ModuleManager.sol#L56-L73
https://github.com/code-423n4/2023-10-brahma/blob/main/contracts/src/core/TransactionValidator.sol#L95-L107
Vulnerability details
Impact
A SubAccount module can renounce Console's access, remove SafeModerator to bypass Trusted Validator signature check and Subaccount security checks, and remove ConsoleFallbackHandler. Module could also steal user funds and renounce owners.
Description
The sponsor stated 5 main invariants; an arbitrary module can break 3 of them:
A module introduced to SubAccount-Safe can remove the main Console account's module access, remove SafeModerator guard and remove the ConsoleFallbackHandler. Note that these actions are not manually changed by the Main Console; the module will have full access to execute in SubAccount.
safe-contracts/contracts/base/ModuleManager.sol - execTransactionFromModule()
Since the arbitrary module has unlimited access to the SubAccount with no checks, it could also steal user funds and renounce owners of the Safe SubAccount. Consider disallowing arbitrary modules since it's a big security risk to any Safe.
Proof of Concept
test/branch-trees/SafeDeployer/deploy-console-account/DeployConsoleAccount.t.sol
executeSafeTxHelper() helper function) in SafeDeployer_DeployConsoleAccountTest contract
run make test_func P=testDeployConsoleWithSubAccount_BreakInvariants_0xfuje
Recommended Mitigation
Consider forbidding arbitrary modules in SubAccount and only allowing the Console account to operate as a module. This can be achieved by saving a hash of all existing modules pre-transaction to a storage variable and checking if it's the same post-transaction. An example implementation in TransactionValidator.sol:
Assessed type
Library
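The snapshot-and-compare check described under Recommended Mitigation, as an added example that is not the report's own TransactionValidator.sol snippet nor Brahma's code. The contract name, function names, error names and the MAX_MODULES bound are hypothetical; the only external call is Safe's getModulesPaginated, and the two internal functions are assumed to be called from the guard's pre- and post-transaction hooks with the SubAccount address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal view of Safe's ModuleManager needed for the check.
interface ISafeModules {
    function getModulesPaginated(address start, uint256 pageSize)
        external view returns (address[] memory array, address next);
}

/// Hypothetical mixin for a guard/validator (all names here are illustrative).
abstract contract ModuleSetInvariant {
    address internal constant SENTINEL_MODULES = address(0x1); // Safe's list sentinel
    uint256 internal constant MAX_MODULES = 16; // assumption: SubAccounts hold few modules

    error TooManyModules(address subAccount);
    error ModulesChanged(address subAccount);

    // subAccount => hash of its module list taken before the transaction
    mapping(address => bytes32) private _preTxModulesHash;

    /// Call from the pre-transaction hook.
    function _snapshotModules(address subAccount) internal {
        _preTxModulesHash[subAccount] = _modulesHash(subAccount);
    }

    /// Call from the post-transaction hook; reverts the whole Safe transaction
    /// if a module was enabled, disabled or reordered in between.
    function _assertModulesUnchanged(address subAccount) internal {
        bytes32 expected = _preTxModulesHash[subAccount];
        delete _preTxModulesHash[subAccount]; // one snapshot per transaction
        // With no prior snapshot, expected is zero and the comparison fails closed.
        if (_modulesHash(subAccount) != expected) revert ModulesChanged(subAccount);
    }

    function _modulesHash(address subAccount) private view returns (bytes32) {
        (address[] memory mods, address next) =
            ISafeModules(subAccount).getModulesPaginated(SENTINEL_MODULES, MAX_MODULES);
        // A single page must cover the full list, otherwise the hash would be partial.
        if (next != SENTINEL_MODULES && next != address(0)) revert TooManyModules(subAccount);
        return keccak256(abi.encode(mods));
    }
}
```

The comparison is order-sensitive, so a transaction that disables and re-enables the same modules in a different order also reverts.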